Update filter XSS to allow attr href starts with '.' or '/'

Cheng-Han, Wu 2016-04-20 18:18:52 +08:00
parent b823ed1d7c
commit f6a995143d


@ -14,6 +14,12 @@ var filterXSSOptions = {
return html;
}
},
onTagAttr: function (tag, name, value, isWhiteAttr) {
// allow href starts with '.' or '/'
if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
},
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
// allow attr start with 'data-' or in the whiteListAttr
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
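Review bot: The early return added in `onTagAttr` appears to replace the xss library's own href value check with `filterXSS.escapeAttrValue` alone (a non-empty return from this hook is used as the attribute, as I read the library's contract), and the comment does not record why that is enough. It holds only because the first character is pinned to `.` or `/`, so the value cannot begin with a URL scheme; I would say so, e.g. `// first char is '.' or '/', so no URL scheme is possible and escaping the value is sufficient`. The test itself would be clearer as `var first = value.charAt(0);` followed by `first === '.' || first === '/'`, since the two `indexOf(...) == 0` calls scan the whole string and use loose equality. The `/` case also admits protocol-relative `//host/...` values; if only same-site links are intended, that branch should also require that the second character is neither a slash nor a backslash. The `filterXSSOptions` object starts above the hunk and `onIgnoreTagAttr` continues below it, so how `whiteListAttr` relates to `isWhiteAttr` cannot be checked from here.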